A Penetration Testing & Network Security Blog

rundll32 lockdown testing goodness

I was recently on a Windows 7 workstation lock-down test where the build had been implemented pretty effectively: file and folder permissions, service restrictions and AppLocker rules prevented the majority of malicious actions.

However, I found that I was still able to use rundll32.exe to enumerate and manipulate the environment. I couldn’t really find a good pentest-related resource for leveraging rundll32, so I thought I’d put something together to highlight what I’d found to be useful.

All of the following commands have been tested on Windows 7 Ultimate, but it’s worth bearing in mind that even if a command runs successfully you’ll still be restricted to the security context of the current user (but at least you’ll have a way of initiating a command or function that you may not have had before).

I’ve also refrained from referencing any Control Panel (.cpl) related commands, as these can all be trivially called from C:\Windows\System32 (and most weren’t executable during my engagement).

Note: The usage screenshots have been run from the command line for the sake of clarity. In reality you’re unlikely to have cmd.exe (or PowerShell) access, and the rundll32 commands (and their arguments) will need to be called via Windows shortcuts (as described towards the end of this post).

4. Trigger the .dll via the same method used with cmd.dll (above), i.e. via a shortcut: C:\Windows\System32\rundll32.exe c:\users\test123\desktop\pentest.dll,Control_RunDLL
We now have a full meterpreter session in the context of our standard user, but we’re now able to initiate privilege escalation etc. via the Metasploit framework 🙂
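From the defender’s side, the tell-tale of the technique above is rundll32.exe being asked to load a DLL from a user-writable location (a desktop, profile or temp folder) rather than from System32. The following is an added example, not code from the original post: a small triage script that parses constructed process-creation events (parent image plus command line, as an EDR or Sysmon-style log would provide; the events and the trusted-directory list are assumptions) and flags exactly that pattern.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample process-creation events (parent image + command line); not from the post.
SAMPLE_EVENTS = [
    {"parent": "explorer.exe",
     "cmdline": r'C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL hotplug.dll'},
    {"parent": "explorer.exe",
     "cmdline": r'C:\Windows\System32\rundll32.exe c:\users\test123\desktop\pentest.dll,Control_RunDLL'},
    {"parent": "explorer.exe",
     "cmdline": r'"C:\Windows\System32\rundll32.exe" C:\Users\test123\AppData\Local\Temp\cmd.dll,Control_RunDLL'},
    {"parent": "cmd.exe",
     "cmdline": r'C:\Windows\System32\rundll32.exe user32.dll,LockWorkStation'},
    {"parent": "explorer.exe",
     "cmdline": r'C:\Windows\System32\notepad.exe C:\Users\test123\notes.txt'},
]

# Directories a standard user cannot write to (assumed list); a DLL loaded from anywhere else is the signal.
TRUSTED_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64")

# rundll32 syntax is "<dll>,<export> [args]"; the DLL path may be quoted.
RUNDLL_RE = re.compile(
    r'^"?(?P<exe>[^"\s]*rundll32(?:\.exe)?)"?\s+(?P<dll>"[^"]+"|[^\s,]+),(?P<export>\S+)',
    re.IGNORECASE)

def parse_rundll32(cmdline):
    """Return {'dll', 'export'} for a rundll32 invocation, else None."""
    m = RUNDLL_RE.match(cmdline.strip())
    if not m:
        return None
    return {"dll": m.group("dll").strip('"'), "export": m.group("export")}

def dll_outside_trusted_dirs(dll):
    """True when the DLL is given with a path that is not under System32/SysWOW64."""
    path = PureWindowsPath(dll)
    if path.parent == PureWindowsPath("."):
        return False  # bare name: resolved from rundll32's own directory (System32) first
    parent = str(path.parent).lower()
    return not any(parent == d or parent.startswith(d + "\\") for d in TRUSTED_DIRS)

def triage(events):
    """Flag rundll32 launches that load a DLL from outside the trusted system directories."""
    hits = []
    for ev in events:
        parsed = parse_rundll32(ev["cmdline"])
        if parsed and dll_outside_trusted_dirs(parsed["dll"]):
            hits.append({"dll": parsed["dll"], "export": parsed["export"], "parent": ev["parent"]})
    return hits

if __name__ == "__main__":
    for hit in triage(SAMPLE_EVENTS):
        print(f"rundll32 loaded {hit['dll']} ({hit['export']}) via parent {hit['parent']}")
```

A parent of explorer.exe on a flagged event is consistent with the shortcut-based launch described in this post; pairing the rule with an AppLocker DLL rule (or blocking rundll32 for standard users) removes the path entirely.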

1 comment

Wish I had thought to look at your site prior to a job I had yesterday. Spent a while phone googling for an answer to pop the dsquery box up.

Good point regarding that one: the description field, filter on “exists” and go reading, often find dev accounts with passwords written in the comments, found 3 accounts yesterday, 1 with DA. boof. 🙂

P.S. VPN post is a third written, long way to go especially as the new wordpress v4.0 managed to lose half a draft it seems. 🙁 Also didn’t realise I never had you added to my interesting links section, will throw you in it.